AlphaBay exit, Hansa-down: Dream on?

Recently, during Operation Bayonet two leading underground markets on the Dark Web took center stage in a joint policing effort of the Federal Bureau of Investigation (FBI) and the National High Tech Crime and Dark Web unit of the Dutch Police. In a coordinated sweep, the FBI succeeded in the takeover and subsequently take down of AlphaBay, while the Dutch Police took over, ran and shut down Hansa Market. By planning these actions sequentially, the police agencies expected criminals active on AlphaBay to make their way to Hansa Market – which at that moment was operated by the Dutch Police. This put the police agencies in a perfect position to not only disrupt the ecosystem, but also to collect valuable data on thousands of users.

To observe the first effects of Operation Bayonet, we studied the user-base on another underground market: Dream Market. This Market was established at the end of 2013 and has grown steadily ever since, making it a perfect market for our analysis. At the beginning of this year we recorded around 8,500 Dream Market users. Up until July 2017 Dream Market had about 20 new users per day. That changed significantly from July onwards, when Dream Market began acquiring more than 60 new users per day. On some days as many as 180 new users registered.

To properly assess the detailed effects of Operation Bayonet, we looked specifically at the newly registered vendors on Dream Market (n=195), their background and whether or not they changed their behaviour after the police operation. After obtaining the usernames of the 195 vendors that registered on Dream Market between July 1st and August 15th, we used Grams (a specific Dark Market search engine) to map specific characteristics of these vendors. Utilizing Grams, we determined where the vendor ‘migrated’ from: AlphaBay, Hansa Market, both, or whether they migrated to Dream Market from another market. We also determined if the username of the vendor was used before on underground markets, making this vendor to the regular buyer look like a ‘new’ vendor without any reputation. Next, we identified vendors that changed usernames, but stuck to their PGP-key, or that stuck to their username but changed PGP-keys.